Login Sign Up

CVE-2021-2108

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

CVE-2021-2108 is a critical vulnerability in Oracle WebLogic Server that allows unauthenticated remote attackers to execute arbitrary code and completely compromise affected servers. The vulnerability affects WebLogic Server 12.1.3.0.0 and can be exploited via IIOP or T3 protocols without any authentication.

💻 Affected Systems

Products:
  • Oracle WebLogic Server
Versions: 12.1.3.0.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Core Components; exploitation requires IIOP or T3 protocol access which are commonly enabled.

📦 What is this software?

Weblogic Server by Oracle

View all CVEs affecting Weblogic Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server takeover leading to data theft, ransomware deployment, lateral movement within the network, and persistent backdoor installation.

🟠

Likely Case

Remote code execution resulting in cryptocurrency mining, data exfiltration, or botnet enrollment.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external exploitation.

🌐 Internet-Facing: HIGH - CVSS 9.8 indicates critical risk for internet-facing servers due to unauthenticated remote exploitation.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows complete server compromise without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple exploit tools and scripts are publicly available; exploitation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update (CPU) January 2021 or later

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2021.html

Restart Required: Yes

Instructions:

1. Download January 2021 Critical Patch Update from Oracle Support. 2. Apply patch to WebLogic Server 12.1.3.0.0. 3. Restart WebLogic Server instances. 4. Verify patch application.

🔧 Temporary Workarounds

Block T3/IIOP Protocols

linux

Block access to T3 (port 7001) and IIOP protocols at network perimeter or host firewall

iptables -A INPUT -p tcp --dport 7001 -j DROP
iptables -A INPUT -p tcp --dport 7002 -j DROP

Disable T3 Protocol

all

Configure WebLogic to disable T3 protocol

Set weblogic.security.net.ConnectionFilterImpl in config.xml
Add filter rules to block T3 traffic

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WebLogic servers from untrusted networks
  • Deploy web application firewall (WAF) with specific rules to block T3/IIOP exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check WebLogic version: java weblogic.version; if output shows 12.1.3.0.0, system is vulnerable.

Check Version:

java weblogic.version

Verify Fix Applied:

Verify patch application: java weblogic.version should show post-January 2021 patch level; check Oracle home for patch files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual T3 or IIOP connection attempts
  • Unexpected process creation from WebLogic
  • Error logs containing serialization exceptions

Network Indicators:

  • T3 protocol traffic to port 7001 with unusual payloads
  • IIOP traffic with malicious serialized objects

SIEM Query:

source="weblogic.log" AND ("T3" OR "IIOP") AND ("error" OR "exception") | stats count by src_ip

📊 Metadata

CVE ID: CVE-2021-2108
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: January 20, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON